This one is cross-browser, though:
http://demo.php-ids.org/?test=%24_%3Ddocument%2C%24__%3D%24_.URL%2C%24___%3Dunescape%2C%24_%3D%24_.body%2C%24_.innerHTML%20%3D%20%24___(http%3D%24__)#%3Ciframe%20src%3D%22javascript%3Atop.document.body.firstChild.nodeValue%3D''%2Calert('PWND%20%3A)')%22%3E%3C%2Fiframe%3E%3Cdiv%20style%3D'text-align%3A%20center%3B%20background%3A%20yellow'%3E%3Ch2%3EPWND%20by%20ma1%3C%2Fh2%3E%3Ca%20href%3D'http%3A%2F%2Fnoscript.net'%3EThere's%20a%20browser%20safer%20than%20Firefox...%20it's%20Firefox%2C%20with%20NoScript%3C%2Fa%3E%3C%2Fdiv%3E%3C%2Fbody%3E%3C%2Fhtml%3E

ma1 Wrote:
-------------------------------------------------------
> .mario Wrote:
> -------------------------------------------------------
> > @Ronald: I agree when talking about GET Requests.
>
> So these are all illegal, right?
>
> http://en.wikipedia.org/wiki/Heroes_(TV_series%29
>
> http://kb.mozillazine.org/Label%3D%22%26blockImageCmd._label%3B%22
>
> http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Functions:eval
>
> And I didn't even add any query string :)
>
> As for the tilde character, ~, maybe you're too young to remember the time when most of the web URLs contained one (especially in .edu sites), because it's a Unix shortcut for the user's home.
>
> Finally, ?param=& is quite common and legal, since it's sent every time an optional field is left empty in a form.

Yeah, that's why Wikipedia sucks as an example, because they work in a very different way by using a meta language, so that doesn't really count. I mean, in "normal" queries I've never seen those chars; some do, sure. But the only ones I use are pipes or spaces, which are pretty standard in developing. The rest I detect upon. That said, without the quote set ' " and the less/greater signs > < (which are illegal, btw) it is nearly impossible to construct a good injection; the rest is refinement upon them.

So when you detect them, you are half the way.

Oh yeah, I'm way too old to remember the tilde ~
My first homepage had one; I'm close to 30 now, so I know this was a special reference character back then.

Just like < > ' " chars are. Ever seen one in a normal query?

Yeah, I know why I love standards, standards in developing, just because of this mayhem alone.

Clearly it's impossible to detect everything with RegExes alone; that is exactly why I block single chars like ' " < > on the request URI in my .htaccess, because they never happen. I have a few more, but those are only for my site.

So like you proposed, I guess it would be a very good idea to have a triage upon such datasets. The previous examples are nice and all, but pretty useless to launch a sensible attack. Only a few characters should be detected upon in every instance.

Like ma1 said, it's not a good idea to block =&()[] because they (can) happen. At least the few I mentioned are almost a must to launch a sensible attack: ' " < >

Love to hear anyone's reaction upon it, since I have already used this method for over a year now.

@all, @ma1: Nice ones aaand fixed ;) As already posted in the group, the timed-out one is pretty neat!

@Ronald: Yep - I guess we'll have to discuss that with christ1an and lars too, but I think it's no bad idea. Let's chitchat later about the PHPIDS for PHP4 if you like. We are planning to release 0.3 on Thursday, and it would be a nice feature to have in this version.

The mysterious y is a relic from when we had lots of false positives from the Yahoo page slurp spider - and since no critical JS function matches the pattern y\w+, we just fixed the issue that way.

The location=name vector is evil - I hate the self-contained stuff via name because it's almost undetectable. I mean, okay - you can detect location[^\w\s]\n*name, but that would just catch the un-obfuscated ones.
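An added example, not code from PHPIDS or from any poster in this thread, that turns Ronald's "block ' " < > on the request URI" rule and .mario's location[^\w\s]\n*name pattern into plain JavaScript functions and runs them against ma1's cross-browser vector quoted at the top of the page. It assumes the rule is applied to the decoded request line (path plus query), which is all a server ever receives; the URLs on example.com and the self['location']=name variant are constructed here for illustration, the other inputs are the ones quoted in the thread.

```javascript
// Added example, not code from PHPIDS or from anyone in this thread.
// It models Ronald's ' " < > request-URI rule and .mario's
// location[^\w\s]\n*name pattern and runs them against ma1's vector.

// Assumption: the rule runs on the decoded request line (path + query),
// which is all the server receives; the fragment after '#' stays in the browser.
const BLOCKED = /['"<>]/;

// Split a URL the way a browser does before sending the request.
function splitUrl(url) {
  const hash = url.indexOf("#");
  if (hash === -1) return { serverVisible: url, fragment: "" };
  return { serverVisible: url.slice(0, hash), fragment: url.slice(hash + 1) };
}

// Percent-decode before matching, since a literal rule on the raw URI would
// miss %22 and %3C. decodeURIComponent throws on malformed input such as a
// lone '%', so fall back to the raw string rather than crash the check.
function decodeLoose(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s;
  }
}

// Ronald's rule as the server sees it: any of ' " < > in path or query?
function serverSideBlocks(url) {
  return BLOCKED.test(decodeLoose(splitUrl(url).serverVisible));
}

// The same rule applied to the fragment, which the server never sees.
function fragmentWouldBlock(url) {
  return BLOCKED.test(decodeLoose(splitUrl(url).fragment));
}

// .mario's detector for the self-contained location=name vector.
const LOCATION_NAME = /location[^\w\s]\n*name/;
function matchesLocationName(js) {
  return LOCATION_NAME.test(js);
}

// ma1's vector from this thread: the query only builds the innerHTML
// assignment; the HTML payload itself rides in the fragment.
const MA1_VECTOR =
  "http://demo.php-ids.org/?test=%24_%3Ddocument%2C%24__%3D%24_.URL%2C" +
  "%24___%3Dunescape%2C%24_%3D%24_.body%2C%24_.innerHTML%20%3D%20%24___(http%3D%24__)" +
  "#%3Ciframe%20src%3D%22javascript%3Atop.document.body.firstChild.nodeValue%3D''" +
  "%2Calert('PWND%20%3A)')%22%3E%3C%2Fiframe%3E";

// Sample inputs: two quoted in the thread, two constructed on example.com.
const SAMPLES = [
  MA1_VECTOR,
  "http://en.wikipedia.org/wiki/Heroes_(TV_series%29",
  "http://example.com/search?q=%3Cscript%3E",
  "http://example.com/?param=&other=1",
];

for (const u of SAMPLES) {
  console.log(
    "server blocks:", serverSideBlocks(u),
    "fragment would block:", fragmentWouldBlock(u),
    u.slice(0, 50) + "..."
  );
}
// ma1's vector: server blocks false, fragment would block true

console.log(matchesLocationName("location=name"));         // true
// Constructed variant, not a vector from the thread: same effect, no match.
console.log(matchesLocationName("self['location']=name")); // false
```

The decoded query of ma1's vector is `$_=document,$__=$_.URL,$___=unescape,$_=$_.body,$_.innerHTML = $___(http=$__)`, which contains none of ' " < >; the iframe, its quotes and its angle brackets all sit behind the '#' and never reach the server, so a request-URI character rule sees nothing to block. That is the same limitation .mario describes for the name-carried vector: the regex catches the literal spelling and nothing else.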